News

Germany Imposed Its First GDPR Fine

A hacker attack that leaked a database from a German website, containing about 808,000 email addresses and more than 1.8 million usernames and passwords, has led to the first German fine imposed under the European GDPR. The penalty was €20,000 and was issued by the Baden-Württemberg Data Protection Authority.

The online platform Knuddels.de, known in Germany as a dating and flirting site, suffered a serious hacker attack in July this year. The stolen data was then published online in cleartext.

In the summer a Knuddels.de employee reported that the breach affected every user who had an active platform account or chat username on 20 July 2018.

A later post by another company employee stated that 330,000 of the email addresses had been confirmed as real and leaked online. The employee also said that after Knuddels learned of the data leak on Pastebin and on the Mega cloud storage service, it improved its security measures, warned users and reset their passwords.

However, in the wake of the attack it became clear that the website applied no protection at all to sensitive data such as passwords: they were stored in cleartext, neither hashed nor encrypted, so a single database dump exposed every credential as-is.

The fine imposed on Knuddels.de was the first in Germany issued under the European Union's General Data Protection Regulation (GDPR), which became applicable in May this year.

Let us remind you that the GDPR provides for fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, with the amount set in light of the seriousness of the breach and the degree of fault of the company. (Infringements of the security-of-processing obligations in Article 32 fall under the lower tier of Article 83(4): up to €10 million or 2% of turnover.)

The calculation of the sanction also takes into account the number of persons affected, the nature of the incident, the action taken to mitigate the damage, the cooperation with the supervisory authority, the preventive measures in place, any previous infringements, and whether and how the breach was notified to the data protection authority.

Apparently, Knuddels.de had taken care of almost all of the GDPR's requirements, but that was not enough to escape a sanction: the company had not met the data security standard of Article 32(1)(a) of the GDPR, which names pseudonymisation and encryption of personal data among the required technical measures. For stored passwords specifically, the appropriate measure is a salted, deliberately slow one-way hash rather than reversible encryption, so that a leaked table cannot simply be decrypted with a key that lives on the same server.
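To make the Article 32 point above and the cleartext storage described earlier concrete, here is an added example (not code from Knuddels or from the article) contrasting the practice the article describes with a hardened equivalent. It uses Python's standard-library scrypt; the in-memory dict standing in for the user table, the work-factor values, and the helper names (`store_plaintext`, `store_hashed`, `verify_password`, `exposed_credentials`) are all constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed example: an in-memory dict stands in for the site's user table.
# scrypt work factors (hypothetical choices for this example): N=2**14, r=8, p=1
# cost about 16 MiB of memory per hash, which is what makes offline cracking of
# a leaked table expensive. Tune them to your hardware and raise N over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32
MAXMEM = 64 * 1024 * 1024  # memory cap handed to OpenSSL, above the 16 MiB needed


def store_plaintext(table: Dict[str, str], username: str, password: str) -> None:
    """The practice the article describes: the password lands in the table
    verbatim, so any dump of the table exposes every credential."""
    table[username] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt record. A fresh random salt per user means two
    users with the same password get different records and rainbow tables fail."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=KEY_LEN,
    )
    # Self-describing record: the parameters travel with the hash, so they can
    # be raised later without breaking verification of older records.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time, so timing does not reveal how many bytes matched."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(
            candidate.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), maxmem=MAXMEM, dklen=len(expected),
        )
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad parameters):
        # treat it as a failed login rather than crashing the login path.
        return False
    return hmac.compare_digest(actual, expected)


def store_hashed(table: Dict[str, str], username: str, password: str) -> None:
    """The hardened form: only the scrypt record is ever written to the table."""
    table[username] = hash_password(password)


def exposed_credentials(table: Dict[str, str]) -> List[str]:
    """Audit helper: which usernames would have their password readable from a
    leaked copy of this table? Anything that is not an scrypt record counts."""
    return [user for user, value in table.items() if not value.startswith("scrypt$")]


if __name__ == "__main__":
    leaky, hardened = {}, {}
    store_plaintext(leaky, "alice", "correct horse battery staple")
    store_hashed(hardened, "alice", "correct horse battery staple")
    print("leaky table exposes:", exposed_credentials(leaky))        # ['alice']
    print("hardened table exposes:", exposed_credentials(hardened))  # []
    print("login ok:", verify_password(hardened["alice"], "correct horse battery staple"))
    print("login wrong:", verify_password(hardened["alice"], "Correct horse battery staple"))
```

The record format carries its own parameters so that, when the work factor is raised, old records still verify and can be re-hashed transparently at the user's next successful login. The audit helper is the kind of check a practitioner would run over a real user table before an incident, not after one.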

According to the German data protection authority, Knuddels.de was able to demonstrate exemplary transparency and cooperation, and it was quick to implement security upgrades.

Stefan Brink, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI), commented on the sanction that the institution he manages does not take part in a competition for the highest possible fines, because the end goal is to improve privacy and data security for users.

At first glance, Knuddels got off with a slap on the wrist in the form of this surprisingly low fine. On the other hand, the fine was not the only consequence of the attack. The company incurred unforeseen and substantial costs to patch the website's software vulnerabilities and to keep the impact of this severe breach on its users as small as possible. Knuddels managed to accomplish all of this within a few weeks, which was an achievement in itself, and it also had to implement additional security measures in coordination with the authorities.

Had Knuddels fully complied with the GDPR requirements beforehand, it would not have faced these unplanned security improvements and the significant financial burden they brought, nor the public embarrassment of making the news as the first company fined under the GDPR in Germany. AMATAS therefore reminds you that it is solely your responsibility to maintain a good level of cybersecurity for the data your company collects and stores. Underestimating cyber threats today can cause irreparable financial and reputational damage to any business, regardless of its size.

Against the backdrop of this news, however, we must ask ourselves: who will be the first company fined in Bulgaria under the GDPR?